A Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2018-015

DATE(S) ISSUED:

01/30/2018

OVERVIEW:

A vulnerability has been identified in Mozilla Firefox which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the user running the affected application. Depending on the privileges associated with that user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to run with fewer user rights on the system, exploitation of this vulnerability could have less impact than if it were configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

Mozilla Firefox versions prior to 58.0.1
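A fleet inventory check added here as an illustration (it is not part of the MS-ISAC advisory); it applies the cutoff stated above, flagging any build older than 58.0.1, and the hostnames and version strings it runs over are constructed sample data.

```python
import re
from typing import List, Tuple

# Cutoff taken from the advisory's SYSTEMS AFFECTED section:
# builds before 58.0.1 are affected.
FIXED_VERSION = "58.0.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Firefox version string into a comparable tuple of ints.

    Accepts forms such as "58.0.1", "58.0", "57.0.4 (x64 en-US)" or
    "52.6.0esr": the leading dotted numeric part is kept, any trailing
    build or channel suffix is ignored, and the tuple is padded so that
    "58.0" compares equal to "58.0.0".
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hostname, reported Firefox version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-0101", "57.0.4 (x64 en-US)"),
    ("ws-0102", "58.0.1 (x64 en-US)"),
    ("ws-0103", "58.0"),
    ("ws-0104", "52.6.0esr"),
    ("ws-0105", "59.0b3"),
]


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Firefox build predates the fixed version."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Firefox to {FIXED_VERSION} or later")
```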

RISK:

Government:

Large and medium government entities: HIGH

Small government entities: MEDIUM

Businesses:

Large and medium business entities: HIGH

Small business entities: MEDIUM

Home Users:

LOW

TECHNICAL SUMMARY:

A vulnerability has been identified in Mozilla Firefox which could allow for arbitrary code execution. A Content Security Policy (CSP) is not properly enforced on chrome-privileged documents, which are used by extensions in Mozilla Firefox. An attacker could exploit this vulnerability by enticing a user running a vulnerable version of the application to follow a specially crafted link designed to trigger this issue.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the user running the affected application. Depending on the privileges associated with that user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to run with fewer user rights on the system, exploitation of this vulnerability could have less impact than if it were configured with administrative rights.